News items for tag linux - Koos van den Hout

2021-03-27 I bought a secondhand morse paddle and made a video about it 2 weeks ago
For a while I had a notification set for someone selling a morse paddle. Finally one came along at a reasonable price so I bought it.

And.. I mentioned this detail to some people at work. Who had an idea of what a morse key is, but didn't know about morse paddles. So with my big mouth I said "I'll make a video about it". This was triggered by the fact that I recently learned about OpenShot non-linear video editor which is available for Linux too.

So I created a video. And found out making a video of 30 seconds is a lot more work than 30 seconds. I watched some tutorial videos about OpenShot first and thought about what I wanted to show. I haven't added spoken comments because I didn't feel like doing those too.

The video isn't great, I can see several beginner mistakes. But I get the point across of what a paddle does. There is a continuity problem because I used sunlight. Which isn't very constant. And I made several clips because I didn't think I would get everything I wanted to show right. But now there are changes in light and a bit in camera angle, even with using a tripod.

And our neighbours were busy hammering indoors, so that can be heard too.

Tags: , , , ,
2021-03-17 Upgraded another system at home, now serving webpages with TLSv1.3 3 weeks ago
Encrypt all the things meme After the recent work on updating the TLS settings for the webservers at home there was one element missing: TLSv1.3 support.

This needed an upgrade of openssl and the 'easy' way to get there was a full upgrade of the server running the external facing proxy. So I took that step yesterday evening. Made a snapshot first and started upgrading devuan ascii to beowulf.

After the update a lot of things were broken: I defined a non-standard location for bind9 logging and AppArmor disagreed. Without a working nameserver a lot of stuff breaks internally! So after managing to get on the upgraded system with console I changed the AppArmor rules to allow it. After that things started again.

For the next time I manage to break the resolving nameserver: I should remember that avahi/multicast dns works on most systems even when DNS resolving fails. I checked and I can use .local names to get to the right equipment.

After checking how everything is running for about a day I threw out the old snapshot.

Tags: , , , ,
2021-03-11 Sendmail 8.15.2 in Ubuntu 20.04 not even trying IPv6 1 month ago
I needed a virtual machine with ubuntu so I did the base installation and also configured unattended-upgrades and sendmail to get the results. But I noticed after a while I never saw any mail from that machine.

Problem soon found:
mailer=relay, pri=30131, [], dsn=4.0.0, stat=Deferred: Connection timed out with
The machine wasn't even trying to reach the mailserver over IPv6! On the internal network with servers it will fail over IPv4 because of the portforwarding rule for the port from the outside IP to the mailserver but I never expected an internal machine to try IPv4.

Somehow this seems default for sendmail 8.15.2 in Ubuntu 20.04. I could find someone else asking this: No IPv6 outbound from Sendmail starting with 20.04 but no answers how/why.

At first I suspected systemd-resolved as the old saying goes that all sendmail problems are caused by DNS. But disabling that didn't fix the problem.

I now have the IPv6 address hardcoded in the configuration, that works.
dnl FEATURE(`msp', `', `25')
FEATURE(`msp', `[2001:980:14ca:1::23]', `25')
I also found out the option ResolverOptions=+WorkAroundBrokenAAAA was set but not causing this.

Tags: , ,
2021-03-06 Digging for more entropy 1 month ago
Looking at the newest graphs I created with grafana of system statistics I noticed the available entropy was still getting dangerously low from time to time on the system that runs the home server. For some reason this system has no available hardware random number generator. Even after the earlier changes to add more sources of randomness it was sometimes dropping low, especially during dnssec signing operations.

This does mean that the encryption processes for TLS in the webservers may also get delayed. Which is really not what I want.

Time to update settings on randomsound and haveged: I want a minimum of 2048 bits of available entropy. Sofar, this seems to have the desired effect.

Tags: , , ,
2021-03-01 Updating my statistics gathering 1 month ago
Grafana dashboard sample For years and years I have been using rrdtool to gather and graph statistics at home. I started gathering home temperatures around 2008 but I see NTP statistics gathering from 2003 and my last mrtg graphs were created in October 2002. So that suggests I've been using rrdtool since that date.

Anyway, I'm looking at newer options. After some asking around I installed influxdb and started gathering data. I adjusted some of my data gathering scripts around rrdtool to also put the data in influxdb.

The easiest data to gather and graph was the load average, available entropy and number of processes for a number of systems at home. So that dashboard has been built and allows selection of the wanted computer.

My first conclusion is just collecting data and thinking what kind of graphs to create later is a lot easier with influxdb. With rrdtool the round robin database is designed around the graphs you want. In this case I just start gathering data and when data has come in start playing with possible graphs from that data.

The next challenge is to set the rules for maintaining the old data. One of the triggers to look at other options was that I was at the end of a nearly 11-year cycle of stored temperatures in rrdtool, and I wanted to keep that history if possible.

I don't have to keep every measurement forever, but with storage being cheap I think I will keep daily averages forever when this is 'production'.

Tags: , ,
2021-02-08 Checking certificates for expiry time left to determine renewal 2 months ago
Encrypt all the things meme I recently almost had an expired certificate for a public service because I did some fiddling with the file and ended up with a file modified time which had no relationship to the certificate request time.

Time to use the -checkend option I noticed in openssl x509 to test the actual certificates for upcoming expiry. So I redid the cronjob around dehydrated to do just that and had a cleanup. A candidate list of certificates to renew is created from certificates that are about to expire, certificates that have a changed certificate signing request and certificates for which there is only a signing request. That list is sorted and deduplicated and fed to calls to dehydrated.

It's now one script for both certificates that are renewed via the http-01 method and for certificates that are renewed via dns-01. By now both methods work fine for me, it depends on the use of the name which is fitting.
Read the rest of Checking certificates for expiry time left to determine renewal

Tags: , , ,
2021-01-20 Playing with DUDE-Star and actually hearing audio 2 months ago
I recently noticed the DUDE-Star software which allows access to D-Star, DMR, YSF, NXDN, P25, M17. For those who read here and got dazzled by these abbreviations: These are radio systems where voice data can be transported both via radio signals and via Internet data streams.

In all of these systems there are ways to connect radio / network interfaces together to make contacts over longer distances possible. This software allows access to all these interfaces and will do the audio encoding/decoding so it will use a microphone and loudspeaker.

I haven't had any luck in hearing D-Star audio yet which may be due to not being a registered D-Star user or due to not selecting busy reflectors (the computer systems that allow linked radios and networks to have the same audio data: an audio chatroom). I browsed around other systems and found busy talkgroups in YSF where I heard chatter in Dutch and English last night.

It is nice to see software like this making it all accessible without investing in hardware. The codecs used have a serious influence on the audio quality, and I was warned the quality from DUDE-Star isn't as good as from the actual radios. From what I heard some of the digital audio modes the quality isn't very good (to leave lots of room for error correction).

Tags: , ,
2021-01-15 Fiber to the shed: testing the fiber optic transceivers 2 months ago
I wanted to get an idea whether the network over the fiber optic transceivers is reliable. So at the moment our dining room table looks like a network lab.

For testing networks there is iperf. I found out the Raspberry Pi 3B+ can't keep up with 100 Mbit/second UDP packets, so I searched for a speed where the Pi performs ok. This turns out to be 30 mbit, at higher speeds there is packet loss. I also had to reduce packet size to avoid fragmentation which costs CPU. I use IPv6 because that's what I'm used to. It turned out later the maximum speed without loss is higher with IPv4 than with IPv6.

Server on the raspberry pi:
koos@raspberrypi:~ $ iperf --version
iperf version 2.0.9 (1 June 2016) pthreads
koos@raspberrypi:~ $ iperf -s -V -u
Server listening on UDP port 5001
Receiving 1470 byte datagrams
UDP buffer size:  160 KByte (default)
Test without fiber optic transceivers in the path. Layer 2 route: virtual machine - host machine - utp - network switch - utp - network switch - utp - raspberry pi
koos@wozniak:~$ iperf --version
iperf version 2.0.9 (1 June 2016) pthreads
koos@wozniak:~$ iperf -V -u -b30M -i 10 -t 120 -M 10 -l 1400 -c ..
Client connecting to .., UDP port 5001
Sending 1400 byte datagrams, IPG target: 373.33 us (kalman adjust)
UDP buffer size:  208 KByte (default)
[  3]  0.0-120.0 sec   429 MBytes  30.0 Mbits/sec
[  3] Sent 321430 datagrams
[  3] Server Report:
[  3]  0.0-120.0 sec   429 MBytes  30.0 Mbits/sec   0.004 ms    0/321430 (0%)
Test with fiber optic transceivers in the path. Layer 2 route: virtual machine - host machine - utp - network switch - utp - network switch - utp - fiber optic transceiver - fiber - fiber optic transceiver - utp - raspberry pi
koos@wozniak:~$ iperf -V -u -b30M -i 10 -t 120 -M 10 -l 1400 -c ..
Client connecting to .., UDP port 5001
Sending 1400 byte datagrams, IPG target: 373.33 us (kalman adjust)
UDP buffer size:  208 KByte (default)
[  3]  0.0-120.0 sec   429 MBytes  30.0 Mbits/sec
[  3] Sent 321430 datagrams
[  3] Server Report:
[  3]  0.0-120.0 sec   429 MBytes  30.0 Mbits/sec   0.007 ms    0/321430 (0%)
Trying with IPv4 shows that packet loss starts to occur above 45 mbit. This is an interesting difference.

But the important conclusion is that there is no packet loss over the fiber path. There may be a bit more latency, but that's not a surprise. As a last test I looked at purely ping traffic using IPv6.

Without fiber in the path:
koos@wozniak:~$ ping -c 100 -i 0.2 -q ..
PING ..(.. (2001:xxxx)) 56 data bytes

--- .. ping statistics ---
100 packets transmitted, 100 received, 0% packet loss, time 20192ms
rtt min/avg/max/mdev = 0.567/0.680/0.866/0.063 ms
With fiber in the path:
koos@wozniak:~$ ping -c 100 -i 0.2 -q ..
PING ..(.. (2001:xxxx)) 56 data bytes

--- .. ping statistics ---
100 packets transmitted, 100 received, 0% packet loss, time 20191ms
rtt min/avg/max/mdev = 0.625/0.738/0.828/0.046 ms
This also shows a bit more latency over fiber.

The extra latency is probably due to the fiber optic transceivers containing a network switch.

Tags: , , ,
2020-12-23 A bluetooth speaker that is also a serial port 3 months ago
I acquired a Blaupunkt BLP6100 Bluetooth speaker. Which turns out to support the following services via bluetooth:
  • Headset (audio for phone calls)
  • Handsfree operation (use buttons to accept, hangup or reject calls)
  • Audio sink (the main function of a bluetooth speaker)
  • Serial port
That last one I did not expect. I have tried opening the port with minicom and it will say carrier detect but sofar trying to wake it at 115200 or 9600 hasn't resulted in anything.

As a linux audio device it works fine. Or as a bluetooth speaker for my phone so I can listen to podcasts while walking around at home.

But the serial port makes me wonder!

Tags: , ,
2020-12-13 Makefile logic not working perfectly 3 months ago
I noticed the certificate for was expired according to my webbrowser. I dug up the reason and found out the scripts to maintain the ocsp files managed to confuse the Makefile to keep the haproxy certificates updated.

The ocsp responses have more updates than the certificates, but a certificate update needs to be processed anyway.

So I updated the Makefile in the previous post. The dependency is now certificate-stamp depends on installed certificates, installed certificates depend on copied certificates. And installing the certificate also updates the ocsp response.

Tags: , , , ,

IPv6 check

Running test...
, reachable as PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers

Meningen zijn die van mezelf, wat ik schrijf is beschermd door auteursrecht. Sommige publicaties bevatten een expliciete vermelding dat ze ongevraagd gedeeld mogen worden.
My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews
This page generated by $Id: newstag.cgi,v 1.34 2020/12/31 15:36:31 koos Exp $ in 0.021446 seconds.